Disabled policy rules


L4 Transporter

Hi,

 

Under Monitoring, disabled policy rules are still matching some sessions,
and the session status for most of them is 'incomplete'.
Why?
Thanks


L7 Applicator

This article gives the full definitions for incomplete status. Basically, there is either not a full TCP handshake or not enough data to identify the flow.

 

https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data...

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L3 Networker

Are you saying traffic is matching disabled rules?

Cyber Elite

Disabled rules are not active in the system; this can be seen through the following command:

 

> show running security-policy

If the disabled rule is at the bottom of the policy, it could be that the incomplete sessions "hit" it for logging purposes.

 

What happens is that the system accepts a SYN packet and starts building up a session once the SYN packet is allowed to pass through.

If the session is then disrupted, the process of properly building the session and matching an appropriate App-ID and security policy fails, and the session is discarded. The system will still create a log entry and will need to have a 'rule', but since the session was disrupted before a security policy was properly matched, it will not have a proper security policy to add to the log. It can either use a security policy that was matched for the initial handshake or, if it matched an implied rule, one of the last rules in the policy.

 

 

tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
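A way to check this on your own firewall, as an added example that is not part of the thread or of PAN-OS: the script below models the behaviour Tom describes. It takes a simplified traffic log export (constructed sample lines; real PAN-OS exports carry many more columns, and the column names here are an assumption) and a list of security rules in policy order with their disabled flag (as you would read from the running config's `<disabled>yes</disabled>` element or from `show running security-policy`, where disabled rules are absent). It counts `incomplete` sessions per rule and flags those logged against a rule that is disabled, reporting whether that rule is the last one in the policy.

```python
"""Cross-check 'incomplete' traffic log entries against disabled security rules.

Example code, not from the original thread and not a PAN-OS tool. Assumptions:
- TRAFFIC_LOG is a constructed CSV export with a simplified column set
  (receive_time, src, dst, dport, rule, app, action, session_end_reason).
- POLICY is a constructed rulebase in evaluation order (top to bottom) with a
  disabled flag per rule; disabled rules are never evaluated for live traffic.
"""
import csv
from collections import Counter
from io import StringIO

# Constructed policy, top to bottom. Only the last two rules are disabled.
POLICY = [
    ("allow-web", False),
    ("allow-dns", False),
    ("old-block-rule", True),
    ("legacy-catchall", True),  # disabled, and sits at the bottom of the policy
]

# Constructed traffic log export (not real firewall data).
TRAFFIC_LOG = """\
receive_time,src,dst,dport,rule,app,action,session_end_reason
2024/05/01 10:00:01,10.1.1.5,93.184.216.34,443,allow-web,ssl,allow,tcp-fin
2024/05/01 10:00:02,10.1.1.6,93.184.216.34,443,legacy-catchall,incomplete,allow,aged-out
2024/05/01 10:00:03,10.1.1.7,8.8.8.8,53,allow-dns,dns,allow,aged-out
2024/05/01 10:00:04,10.1.1.8,203.0.113.9,22,legacy-catchall,incomplete,allow,tcp-rst-from-client
2024/05/01 10:00:05,10.1.1.9,203.0.113.9,8080,allow-web,incomplete,allow,aged-out
"""


def parse_traffic_log(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def active_rules(policy):
    """Rules that are actually evaluated, i.e. what the running policy contains."""
    return [name for name, disabled in policy if not disabled]


def disabled_rules(policy):
    return {name for name, disabled in policy if disabled}


def incomplete_by_rule(records):
    """Count sessions whose App-ID never resolved ('incomplete') per logged rule."""
    counts = Counter()
    for rec in records:
        if rec["app"] == "incomplete":
            counts[rec["rule"]] += 1
    return counts


def disabled_rule_hits(records, policy):
    """Incomplete sessions whose log entry names a rule that is disabled."""
    disabled = disabled_rules(policy)
    return [r for r in records if r["app"] == "incomplete" and r["rule"] in disabled]


def is_last_rule(rule, policy):
    """True if the rule is the final entry in the rulebase."""
    return policy[-1][0] == rule


def report(records, policy):
    """Summarise, per disabled rule, how many incomplete sessions were logged
    against it and whether it is the bottom rule (the pattern described above)."""
    lines = []
    counts = incomplete_by_rule(records)
    for name in sorted(disabled_rules(policy)):
        if counts[name]:
            where = "last rule in policy" if is_last_rule(name, policy) else "not last rule"
            lines.append(f"{name}: {counts[name]} incomplete session(s), disabled, {where}")
    return lines


if __name__ == "__main__":
    recs = parse_traffic_log(TRAFFIC_LOG)
    print("active rules:", active_rules(POLICY))
    for line in report(recs, POLICY):
        print(line)
```

Running it on the constructed data shows two incomplete sessions attributed to `legacy-catchall`, which is both disabled and the bottom rule, while the incomplete session on `allow-web` is an ordinary case of a flow that was allowed but never produced enough data for App-ID. Sessions in the first group are the ones worth examining with the session end reason, since the rule name on the log line tells you nothing about what would have matched had the handshake completed.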